1
linux/drivers/spi/spidev.c

907 lines
23 KiB
C
Raw Normal View History

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 157 Based on 3 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license or at your option any later version this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license or at your option any later version [author] [kishon] [vijay] [abraham] [i] [kishon]@[ti] [com] this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details this program is free software you can redistribute it and or modify it under the terms of the gnu general public license as published by the free software foundation either version 2 of the license or at your option any later version [author] [graeme] [gregory] [gg]@[slimlogic] [co] [uk] [author] [kishon] [vijay] [abraham] [i] [kishon]@[ti] [com] [based] [on] [twl6030]_[usb] [c] [author] [hema] [hk] [hemahk]@[ti] [com] this program is distributed in the hope that it will be useful but without any warranty without even the implied warranty of merchantability or fitness for a particular purpose see the gnu general public license for more details extracted by the scancode license scanner the SPDX license identifier GPL-2.0-or-later has been chosen to replace the boilerplate/reference in 1105 file(s). Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Allison Randal <allison@lohutok.net> Reviewed-by: Richard Fontana <rfontana@redhat.com> Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190527070033.202006027@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-05-26 23:55:06 -07:00
// SPDX-License-Identifier: GPL-2.0-or-later
/*
* Simple synchronous userspace interface to SPI devices
*
* Copyright (C) 2006 SWAPP
* Andrea Paterniani <a.paterniani@swapp-eng.it>
* Copyright (C) 2007 David Brownell (simplification, cleanup)
*/
#include <linux/init.h>
#include <linux/ioctl.h>
#include <linux/fs.h>
#include <linux/device.h>
#include <linux/err.h>
#include <linux/list.h>
#include <linux/errno.h>
#include <linux/mod_devicetable.h>
#include <linux/module.h>
#include <linux/mutex.h>
#include <linux/property.h>
#include <linux/slab.h>
#include <linux/compat.h>
#include <linux/spi/spi.h>
#include <linux/spi/spidev.h>
#include <linux/uaccess.h>
/*
* This supports access to SPI devices using normal userspace I/O calls.
* Note that while traditional UNIX/POSIX I/O semantics are half duplex,
* and often mask message boundaries, full SPI support requires full duplex
* transfers. There are several kinds of internal message boundaries to
* handle chipselect management and other protocol options.
*
* SPI has a character major number assigned. We allocate minor numbers
* dynamically using a bitmask. You must use hotplug tools, such as udev
* (or mdev with busybox) to create and destroy the /dev/spidevB.C device
* nodes, since there is no fixed association of minor numbers with any
* particular SPI bus or device.
*/
#define SPIDEV_MAJOR 153 /* assigned */
#define N_SPI_MINORS 32 /* ... up to 256 */
static DECLARE_BITMAP(minors, N_SPI_MINORS);
static_assert(N_SPI_MINORS > 0 && N_SPI_MINORS <= 256);
/* Bit masks for spi_device.mode management. Note that incorrect
* settings for some settings can cause *lots* of trouble for other
* devices on a shared bus:
*
* - CS_HIGH ... this device will be active when it shouldn't be
* - 3WIRE ... when active, it won't behave as it should
* - NO_CS ... there will be no explicit message boundaries; this
* is completely incompatible with the shared bus model
* - READY ... transfers may proceed when they shouldn't.
*
* REVISIT should changing those flags be privileged?
*/
#define SPI_MODE_MASK (SPI_MODE_X_MASK | SPI_CS_HIGH \
| SPI_LSB_FIRST | SPI_3WIRE | SPI_LOOP \
| SPI_NO_CS | SPI_READY | SPI_TX_DUAL \
| SPI_TX_QUAD | SPI_TX_OCTAL | SPI_RX_DUAL \
| SPI_RX_QUAD | SPI_RX_OCTAL \
| SPI_RX_CPHA_FLIP | SPI_3WIRE_HIZ \
| SPI_MOSI_IDLE_LOW)
struct spidev_data {
dev_t devt;
struct mutex spi_lock;
struct spi_device *spi;
struct list_head device_entry;
/* TX/RX buffers are NULL unless this device is open (users > 0) */
struct mutex buf_lock;
unsigned users;
u8 *tx_buffer;
u8 *rx_buffer;
u32 speed_hz;
};
static LIST_HEAD(device_list);
static DEFINE_MUTEX(device_list_lock);
static unsigned bufsiz = 4096;
module_param(bufsiz, uint, S_IRUGO);
MODULE_PARM_DESC(bufsiz, "data bytes in biggest supported SPI message");
/*-------------------------------------------------------------------------*/
spi: spidev: fix a recursive locking error When calling spidev_message() from the one of the ioctl() callbacks, the spi_lock is already taken. When we then end up calling spidev_sync(), we get the following splat: [ 214.047619] [ 214.049198] ============================================ [ 214.054533] WARNING: possible recursive locking detected [ 214.059858] 6.2.0-rc3-0.0.0-devel+git.97ec4d559d93 #1 Not tainted [ 214.065969] -------------------------------------------- [ 214.071290] spidev_test/1454 is trying to acquire lock: [ 214.076530] c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x8e0/0xab8 [ 214.084164] [ 214.084164] but task is already holding lock: [ 214.090007] c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x44/0xab8 [ 214.097537] [ 214.097537] other info that might help us debug this: [ 214.104075] Possible unsafe locking scenario: [ 214.104075] [ 214.110004] CPU0 [ 214.112461] ---- [ 214.114916] lock(&spidev->spi_lock); [ 214.118687] lock(&spidev->spi_lock); [ 214.122457] [ 214.122457] *** DEADLOCK *** [ 214.122457] [ 214.128386] May be due to missing lock nesting notation [ 214.128386] [ 214.135183] 2 locks held by spidev_test/1454: [ 214.139553] #0: c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x44/0xab8 [ 214.147524] #1: c4925e14 (&spidev->buf_lock){+.+.}-{3:3}, at: spidev_ioctl+0x70/0xab8 [ 214.155493] [ 214.155493] stack backtrace: [ 214.159861] CPU: 0 PID: 1454 Comm: spidev_test Not tainted 6.2.0-rc3-0.0.0-devel+git.97ec4d559d93 #1 [ 214.169012] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 214.175555] unwind_backtrace from show_stack+0x10/0x14 [ 214.180819] show_stack from dump_stack_lvl+0x60/0x90 [ 214.185900] dump_stack_lvl from __lock_acquire+0x874/0x2858 [ 214.191584] __lock_acquire from lock_acquire+0xfc/0x378 [ 214.196918] lock_acquire from __mutex_lock+0x9c/0x8a8 [ 214.202083] __mutex_lock from mutex_lock_nested+0x1c/0x24 [ 214.207597] mutex_lock_nested from spidev_ioctl+0x8e0/0xab8 [ 214.213284] spidev_ioctl from sys_ioctl+0x4d0/0xe2c [ 214.218277] sys_ioctl from ret_fast_syscall+0x0/0x1c [ 214.223351] Exception stack(0xe75cdfa8 to 0xe75cdff0) [ 214.228422] dfa0: 00000000 00001000 00000003 40206b00 bee266e8 bee266e0 [ 214.236617] dfc0: 00000000 00001000 006a71a0 00000036 004c0040 004bfd18 00000000 00000003 [ 214.244809] dfe0: 00000036 bee266c8 b6f16dc5 b6e8e5f6 Fix it by introducing an unlocked variant of spidev_sync() and calling it from spidev_message() while other users who don't check the spidev->spi's existence keep on using the locking flavor. Reported-by: Francesco Dolcini <francesco@dolcini.it> Fixes: 1f4d2dd45b6e ("spi: spidev: fix a race condition when accessing spidev->spi") Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> Tested-by: Max Krummenacher <max.krummenacher@toradex.com> Link: https://lore.kernel.org/r/20230116144149.305560-1-brgl@bgdev.pl Signed-off-by: Mark Brown <broonie@kernel.org>
2023-01-16 07:41:49 -07:00
static ssize_t
spidev_sync_unlocked(struct spi_device *spi, struct spi_message *message)
{
ssize_t status;
status = spi_sync(spi, message);
if (status == 0)
status = message->actual_length;
return status;
}
static ssize_t
spidev_sync(struct spidev_data *spidev, struct spi_message *message)
{
spi: spidev: fix a recursive locking error When calling spidev_message() from the one of the ioctl() callbacks, the spi_lock is already taken. When we then end up calling spidev_sync(), we get the following splat: [ 214.047619] [ 214.049198] ============================================ [ 214.054533] WARNING: possible recursive locking detected [ 214.059858] 6.2.0-rc3-0.0.0-devel+git.97ec4d559d93 #1 Not tainted [ 214.065969] -------------------------------------------- [ 214.071290] spidev_test/1454 is trying to acquire lock: [ 214.076530] c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x8e0/0xab8 [ 214.084164] [ 214.084164] but task is already holding lock: [ 214.090007] c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x44/0xab8 [ 214.097537] [ 214.097537] other info that might help us debug this: [ 214.104075] Possible unsafe locking scenario: [ 214.104075] [ 214.110004] CPU0 [ 214.112461] ---- [ 214.114916] lock(&spidev->spi_lock); [ 214.118687] lock(&spidev->spi_lock); [ 214.122457] [ 214.122457] *** DEADLOCK *** [ 214.122457] [ 214.128386] May be due to missing lock nesting notation [ 214.128386] [ 214.135183] 2 locks held by spidev_test/1454: [ 214.139553] #0: c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x44/0xab8 [ 214.147524] #1: c4925e14 (&spidev->buf_lock){+.+.}-{3:3}, at: spidev_ioctl+0x70/0xab8 [ 214.155493] [ 214.155493] stack backtrace: [ 214.159861] CPU: 0 PID: 1454 Comm: spidev_test Not tainted 6.2.0-rc3-0.0.0-devel+git.97ec4d559d93 #1 [ 214.169012] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 214.175555] unwind_backtrace from show_stack+0x10/0x14 [ 214.180819] show_stack from dump_stack_lvl+0x60/0x90 [ 214.185900] dump_stack_lvl from __lock_acquire+0x874/0x2858 [ 214.191584] __lock_acquire from lock_acquire+0xfc/0x378 [ 214.196918] lock_acquire from __mutex_lock+0x9c/0x8a8 [ 214.202083] __mutex_lock from mutex_lock_nested+0x1c/0x24 [ 214.207597] mutex_lock_nested from spidev_ioctl+0x8e0/0xab8 [ 214.213284] spidev_ioctl from sys_ioctl+0x4d0/0xe2c [ 214.218277] sys_ioctl from ret_fast_syscall+0x0/0x1c [ 214.223351] Exception stack(0xe75cdfa8 to 0xe75cdff0) [ 214.228422] dfa0: 00000000 00001000 00000003 40206b00 bee266e8 bee266e0 [ 214.236617] dfc0: 00000000 00001000 006a71a0 00000036 004c0040 004bfd18 00000000 00000003 [ 214.244809] dfe0: 00000036 bee266c8 b6f16dc5 b6e8e5f6 Fix it by introducing an unlocked variant of spidev_sync() and calling it from spidev_message() while other users who don't check the spidev->spi's existence keep on using the locking flavor. Reported-by: Francesco Dolcini <francesco@dolcini.it> Fixes: 1f4d2dd45b6e ("spi: spidev: fix a race condition when accessing spidev->spi") Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> Tested-by: Max Krummenacher <max.krummenacher@toradex.com> Link: https://lore.kernel.org/r/20230116144149.305560-1-brgl@bgdev.pl Signed-off-by: Mark Brown <broonie@kernel.org>
2023-01-16 07:41:49 -07:00
ssize_t status;
struct spi_device *spi;
mutex_lock(&spidev->spi_lock);
spi = spidev->spi;
if (spi == NULL)
status = -ESHUTDOWN;
else
spi: spidev: fix a recursive locking error When calling spidev_message() from the one of the ioctl() callbacks, the spi_lock is already taken. When we then end up calling spidev_sync(), we get the following splat: [ 214.047619] [ 214.049198] ============================================ [ 214.054533] WARNING: possible recursive locking detected [ 214.059858] 6.2.0-rc3-0.0.0-devel+git.97ec4d559d93 #1 Not tainted [ 214.065969] -------------------------------------------- [ 214.071290] spidev_test/1454 is trying to acquire lock: [ 214.076530] c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x8e0/0xab8 [ 214.084164] [ 214.084164] but task is already holding lock: [ 214.090007] c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x44/0xab8 [ 214.097537] [ 214.097537] other info that might help us debug this: [ 214.104075] Possible unsafe locking scenario: [ 214.104075] [ 214.110004] CPU0 [ 214.112461] ---- [ 214.114916] lock(&spidev->spi_lock); [ 214.118687] lock(&spidev->spi_lock); [ 214.122457] [ 214.122457] *** DEADLOCK *** [ 214.122457] [ 214.128386] May be due to missing lock nesting notation [ 214.128386] [ 214.135183] 2 locks held by spidev_test/1454: [ 214.139553] #0: c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x44/0xab8 [ 214.147524] #1: c4925e14 (&spidev->buf_lock){+.+.}-{3:3}, at: spidev_ioctl+0x70/0xab8 [ 214.155493] [ 214.155493] stack backtrace: [ 214.159861] CPU: 0 PID: 1454 Comm: spidev_test Not tainted 6.2.0-rc3-0.0.0-devel+git.97ec4d559d93 #1 [ 214.169012] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 214.175555] unwind_backtrace from show_stack+0x10/0x14 [ 214.180819] show_stack from dump_stack_lvl+0x60/0x90 [ 214.185900] dump_stack_lvl from __lock_acquire+0x874/0x2858 [ 214.191584] __lock_acquire from lock_acquire+0xfc/0x378 [ 214.196918] lock_acquire from __mutex_lock+0x9c/0x8a8 [ 214.202083] __mutex_lock from mutex_lock_nested+0x1c/0x24 [ 214.207597] mutex_lock_nested from spidev_ioctl+0x8e0/0xab8 [ 214.213284] spidev_ioctl from sys_ioctl+0x4d0/0xe2c [ 214.218277] sys_ioctl from ret_fast_syscall+0x0/0x1c [ 214.223351] Exception stack(0xe75cdfa8 to 0xe75cdff0) [ 214.228422] dfa0: 00000000 00001000 00000003 40206b00 bee266e8 bee266e0 [ 214.236617] dfc0: 00000000 00001000 006a71a0 00000036 004c0040 004bfd18 00000000 00000003 [ 214.244809] dfe0: 00000036 bee266c8 b6f16dc5 b6e8e5f6 Fix it by introducing an unlocked variant of spidev_sync() and calling it from spidev_message() while other users who don't check the spidev->spi's existence keep on using the locking flavor. Reported-by: Francesco Dolcini <francesco@dolcini.it> Fixes: 1f4d2dd45b6e ("spi: spidev: fix a race condition when accessing spidev->spi") Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> Tested-by: Max Krummenacher <max.krummenacher@toradex.com> Link: https://lore.kernel.org/r/20230116144149.305560-1-brgl@bgdev.pl Signed-off-by: Mark Brown <broonie@kernel.org>
2023-01-16 07:41:49 -07:00
status = spidev_sync_unlocked(spi, message);
mutex_unlock(&spidev->spi_lock);
return status;
}
static inline ssize_t
spidev_sync_write(struct spidev_data *spidev, size_t len)
{
struct spi_transfer t = {
.tx_buf = spidev->tx_buffer,
.len = len,
.speed_hz = spidev->speed_hz,
};
struct spi_message m;
spi_message_init(&m);
spi_message_add_tail(&t, &m);
return spidev_sync(spidev, &m);
}
static inline ssize_t
spidev_sync_read(struct spidev_data *spidev, size_t len)
{
struct spi_transfer t = {
.rx_buf = spidev->rx_buffer,
.len = len,
.speed_hz = spidev->speed_hz,
};
struct spi_message m;
spi_message_init(&m);
spi_message_add_tail(&t, &m);
return spidev_sync(spidev, &m);
}
/*-------------------------------------------------------------------------*/
/* Read-only message with current device setup */
static ssize_t
spidev_read(struct file *filp, char __user *buf, size_t count, loff_t *f_pos)
{
struct spidev_data *spidev;
ssize_t status;
/* chipselect only toggles at start or end of operation */
if (count > bufsiz)
return -EMSGSIZE;
spidev = filp->private_data;
mutex_lock(&spidev->buf_lock);
status = spidev_sync_read(spidev, count);
if (status > 0) {
unsigned long missing;
missing = copy_to_user(buf, spidev->rx_buffer, status);
if (missing == status)
status = -EFAULT;
else
status = status - missing;
}
mutex_unlock(&spidev->buf_lock);
return status;
}
/* Write-only message with current device setup */
static ssize_t
spidev_write(struct file *filp, const char __user *buf,
size_t count, loff_t *f_pos)
{
struct spidev_data *spidev;
ssize_t status;
unsigned long missing;
/* chipselect only toggles at start or end of operation */
if (count > bufsiz)
return -EMSGSIZE;
spidev = filp->private_data;
mutex_lock(&spidev->buf_lock);
missing = copy_from_user(spidev->tx_buffer, buf, count);
if (missing == 0)
status = spidev_sync_write(spidev, count);
else
status = -EFAULT;
mutex_unlock(&spidev->buf_lock);
return status;
}
static int spidev_message(struct spidev_data *spidev,
struct spi_ioc_transfer *u_xfers, unsigned n_xfers)
{
struct spi_message msg;
struct spi_transfer *k_xfers;
struct spi_transfer *k_tmp;
struct spi_ioc_transfer *u_tmp;
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 08:00:47 -07:00
unsigned n, total, tx_total, rx_total;
u8 *tx_buf, *rx_buf;
int status = -EFAULT;
spi_message_init(&msg);
k_xfers = kcalloc(n_xfers, sizeof(*k_tmp), GFP_KERNEL);
if (k_xfers == NULL)
return -ENOMEM;
/* Construct spi_message, copying any tx data to bounce buffer.
* We walk the array of user-provided transfers, using each one
* to initialize a kernel version of the same transfer.
*/
tx_buf = spidev->tx_buffer;
rx_buf = spidev->rx_buffer;
total = 0;
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 08:00:47 -07:00
tx_total = 0;
rx_total = 0;
for (n = n_xfers, k_tmp = k_xfers, u_tmp = u_xfers;
n;
n--, k_tmp++, u_tmp++) {
/* Ensure that also following allocations from rx_buf/tx_buf will meet
* DMA alignment requirements.
*/
unsigned int len_aligned = ALIGN(u_tmp->len, ARCH_DMA_MINALIGN);
k_tmp->len = u_tmp->len;
total += k_tmp->len;
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 08:00:47 -07:00
/* Since the function returns the total length of transfers
* on success, restrict the total to positive int values to
* avoid the return value looking like an error. Also check
* each transfer length to avoid arithmetic overflow.
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 08:00:47 -07:00
*/
if (total > INT_MAX || k_tmp->len > INT_MAX) {
status = -EMSGSIZE;
goto done;
}
if (u_tmp->rx_buf) {
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 08:00:47 -07:00
/* this transfer needs space in RX bounce buffer */
rx_total += len_aligned;
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 08:00:47 -07:00
if (rx_total > bufsiz) {
status = -EMSGSIZE;
goto done;
}
k_tmp->rx_buf = rx_buf;
rx_buf += len_aligned;
}
if (u_tmp->tx_buf) {
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 08:00:47 -07:00
/* this transfer needs space in TX bounce buffer */
tx_total += len_aligned;
spi: spidev: only use up TX/RX bounce buffer space when needed This patch changes the way space is reserved in spidev's pre-allocated TX and RX bounce buffers to avoid wasting space in the buffers for an SPI message consisting of multiple, half-duplex transfers in different directions. Background: spidev data structures have separate, pre-allocated TX and RX bounce buffers (`spidev->tx_buffer` and `spidev->rx_buffer`) of fixed size (`bufsiz`). The `SPI_IOC_MESSAGE(N)` ioctl processing uses a kernel copy of the N `struct spi_ioc_transfer` elements copied from the userspace ioctl arg pointer. In these elements: `.len` is the length of transfer in bytes; `.rx_buf` is either a userspace pointer to a buffer to copy the RX data to or is set to 0 to discard the data; and `.tx_buf` is either a userspace pointer to TX data supplied by the user or is set to 0 to transmit zeros for this transfer. `spidev_message()` uses the array of N `struct spi_ioc_transfer` elements to construct a kernel SPI message consisting of a `struct spi_message` containing a linked list (allocated as an array) of N `struct spi_transfer` elements. This involves iterating through the `struct spi_ioc_transfer` and `struct spi_transfer` elements (variables `u_tmp` and `k_tmp` respectively). Before the first iteration, variables `tx_buf` and `rx_buf` point to the start of the TX and RX bounce buffers `spidev->tx_buffer` and `spidev->rx_buffer` and variable `total` is set to 0. These variables keep track of the next available space in the bounce buffers and the total length of the SPI message. Each iteration checks that there is enough room left in the buffers for the transfer. If `u_tmp->rx_buf` is non-zero, `k_tmp->rx_buf` is set to `rx_buf`, otherwise it remains set to NULL. If `u_tmp->tx_buf` is non-zero, `k_tmp->tx_buf` is set to `tx_buf` and the userspace TX data copied there, otherwise it remains set to NULL. The variables `total`, `rx_buf` and `tx_buf` are advanced by the length of the transfer. The "problem": While iterating through the transfers, the local bounce buffer "free space" pointer variables `tx_buf` and `rx_buf` are always advanced by the length of the transfer. If `u_tmp->rx_buf` is 0 (so `k_tmp->rx_buf` is NULL), then `rx_buf` is advanced unnecessarily and that part of `spidev->rx_buffer` is wasted. Similarly, if `u_tmp->tx_buf` is 0 (so `k_tmp->tx_buf` is NULL), part of `spidev->tx_buffer` is wasted. What this patch does: To avoid wasting space unnecessarily in the RX bounce buffer, only advance `rx_buf` by the transfer length if `u_tmp->rx_buf` is non-zero. Similarly, to avoid wasting space unnecessarily in the TX bounce buffer, only advance `tx_buf` if `u_tmp->tx_buf is non-zero. To avoid pointer subtraction, use new variables `rx_total` and `tx_total` to keep track of the amount of space allocated in each of the bounce buffers. If these exceed the available space, a `-EMSGSIZE` error will be returned. Limit the total length of the transfers (tracked by variable `total`) to `INT_MAX` instead of `bufsiz`, returning an `-EMSGSIZE` error if exceeded. The total length is returned by `spidev_message()` on success and we want that to be non-negative. The message size limits for the `SPI_IOC_MESSAGE(N)` ioctl are now as follows: (a) total length of transfers is <= INTMAX; (b) total length of transfers with non-NULL rx_buf is <= bufsiz; (c) total length of transfers with non-NULL tx_buf is <= bufsiz. Some transfers may have NULL rx_buf and NULL tx_buf. If the transfer is completed successfully by the SPI core, `spidev_message()` iterates through the transfers to copy any RX data from the bounce buffer back to userspace on those transfers where `u_tmp->rx_buf` is non-zero. The variable `rx_buf` is again used to keep track of the corresponding positions in the bounce buffer. Now it is only advanced for those transfers that use the RX bounce buffer. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-02-16 08:00:47 -07:00
if (tx_total > bufsiz) {
status = -EMSGSIZE;
goto done;
}
k_tmp->tx_buf = tx_buf;
if (copy_from_user(tx_buf, (const u8 __user *)
(uintptr_t) u_tmp->tx_buf,
u_tmp->len))
goto done;
tx_buf += len_aligned;
}
k_tmp->cs_change = !!u_tmp->cs_change;
k_tmp->tx_nbits = u_tmp->tx_nbits;
k_tmp->rx_nbits = u_tmp->rx_nbits;
k_tmp->bits_per_word = u_tmp->bits_per_word;
k_tmp->delay.value = u_tmp->delay_usecs;
k_tmp->delay.unit = SPI_DELAY_UNIT_USECS;
k_tmp->speed_hz = u_tmp->speed_hz;
k_tmp->word_delay.value = u_tmp->word_delay_usecs;
k_tmp->word_delay.unit = SPI_DELAY_UNIT_USECS;
if (!k_tmp->speed_hz)
k_tmp->speed_hz = spidev->speed_hz;
#ifdef VERBOSE
dev_dbg(&spidev->spi->dev,
" xfer len %u %s%s%s%dbits %u usec %u usec %uHz\n",
k_tmp->len,
k_tmp->rx_buf ? "rx " : "",
k_tmp->tx_buf ? "tx " : "",
k_tmp->cs_change ? "cs " : "",
k_tmp->bits_per_word ? : spidev->spi->bits_per_word,
k_tmp->delay.value,
k_tmp->word_delay.value,
k_tmp->speed_hz ? : spidev->spi->max_speed_hz);
#endif
spi_message_add_tail(k_tmp, &msg);
}
spi: spidev: fix a recursive locking error When calling spidev_message() from the one of the ioctl() callbacks, the spi_lock is already taken. When we then end up calling spidev_sync(), we get the following splat: [ 214.047619] [ 214.049198] ============================================ [ 214.054533] WARNING: possible recursive locking detected [ 214.059858] 6.2.0-rc3-0.0.0-devel+git.97ec4d559d93 #1 Not tainted [ 214.065969] -------------------------------------------- [ 214.071290] spidev_test/1454 is trying to acquire lock: [ 214.076530] c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x8e0/0xab8 [ 214.084164] [ 214.084164] but task is already holding lock: [ 214.090007] c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x44/0xab8 [ 214.097537] [ 214.097537] other info that might help us debug this: [ 214.104075] Possible unsafe locking scenario: [ 214.104075] [ 214.110004] CPU0 [ 214.112461] ---- [ 214.114916] lock(&spidev->spi_lock); [ 214.118687] lock(&spidev->spi_lock); [ 214.122457] [ 214.122457] *** DEADLOCK *** [ 214.122457] [ 214.128386] May be due to missing lock nesting notation [ 214.128386] [ 214.135183] 2 locks held by spidev_test/1454: [ 214.139553] #0: c4925dbc (&spidev->spi_lock){+.+.}-{3:3}, at: spidev_ioctl+0x44/0xab8 [ 214.147524] #1: c4925e14 (&spidev->buf_lock){+.+.}-{3:3}, at: spidev_ioctl+0x70/0xab8 [ 214.155493] [ 214.155493] stack backtrace: [ 214.159861] CPU: 0 PID: 1454 Comm: spidev_test Not tainted 6.2.0-rc3-0.0.0-devel+git.97ec4d559d93 #1 [ 214.169012] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 214.175555] unwind_backtrace from show_stack+0x10/0x14 [ 214.180819] show_stack from dump_stack_lvl+0x60/0x90 [ 214.185900] dump_stack_lvl from __lock_acquire+0x874/0x2858 [ 214.191584] __lock_acquire from lock_acquire+0xfc/0x378 [ 214.196918] lock_acquire from __mutex_lock+0x9c/0x8a8 [ 214.202083] __mutex_lock from mutex_lock_nested+0x1c/0x24 [ 214.207597] mutex_lock_nested from spidev_ioctl+0x8e0/0xab8 [ 214.213284] spidev_ioctl from sys_ioctl+0x4d0/0xe2c [ 214.218277] sys_ioctl from ret_fast_syscall+0x0/0x1c [ 214.223351] Exception stack(0xe75cdfa8 to 0xe75cdff0) [ 214.228422] dfa0: 00000000 00001000 00000003 40206b00 bee266e8 bee266e0 [ 214.236617] dfc0: 00000000 00001000 006a71a0 00000036 004c0040 004bfd18 00000000 00000003 [ 214.244809] dfe0: 00000036 bee266c8 b6f16dc5 b6e8e5f6 Fix it by introducing an unlocked variant of spidev_sync() and calling it from spidev_message() while other users who don't check the spidev->spi's existence keep on using the locking flavor. Reported-by: Francesco Dolcini <francesco@dolcini.it> Fixes: 1f4d2dd45b6e ("spi: spidev: fix a race condition when accessing spidev->spi") Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org> Tested-by: Max Krummenacher <max.krummenacher@toradex.com> Link: https://lore.kernel.org/r/20230116144149.305560-1-brgl@bgdev.pl Signed-off-by: Mark Brown <broonie@kernel.org>
2023-01-16 07:41:49 -07:00
status = spidev_sync_unlocked(spidev->spi, &msg);
if (status < 0)
goto done;
/* copy any rx data out of bounce buffer */
for (n = n_xfers, k_tmp = k_xfers, u_tmp = u_xfers;
n;
n--, k_tmp++, u_tmp++) {
if (u_tmp->rx_buf) {
if (copy_to_user((u8 __user *)
(uintptr_t) u_tmp->rx_buf, k_tmp->rx_buf,
u_tmp->len)) {
status = -EFAULT;
goto done;
}
}
}
status = total;
done:
kfree(k_xfers);
return status;
}
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-30 11:43:33 -07:00
static struct spi_ioc_transfer *
spidev_get_ioc_message(unsigned int cmd, struct spi_ioc_transfer __user *u_ioc,
unsigned *n_ioc)
{
u32 tmp;
/* Check type, command number and direction */
if (_IOC_TYPE(cmd) != SPI_IOC_MAGIC
|| _IOC_NR(cmd) != _IOC_NR(SPI_IOC_MESSAGE(0))
|| _IOC_DIR(cmd) != _IOC_WRITE)
return ERR_PTR(-ENOTTY);
tmp = _IOC_SIZE(cmd);
if ((tmp % sizeof(struct spi_ioc_transfer)) != 0)
return ERR_PTR(-EINVAL);
*n_ioc = tmp / sizeof(struct spi_ioc_transfer);
if (*n_ioc == 0)
return NULL;
/* copy into scratch area */
return memdup_user(u_ioc, tmp);
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-30 11:43:33 -07:00
}
static long
spidev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
int retval = 0;
struct spidev_data *spidev;
struct spi_device *spi;
struct spi_controller *ctlr;
u32 tmp;
unsigned n_ioc;
struct spi_ioc_transfer *ioc;
/* Check type and command number */
if (_IOC_TYPE(cmd) != SPI_IOC_MAGIC)
return -ENOTTY;
/* guard against device removal before, or while,
* we issue this ioctl.
*/
spidev = filp->private_data;
mutex_lock(&spidev->spi_lock);
spi = spi_dev_get(spidev->spi);
if (spi == NULL) {
mutex_unlock(&spidev->spi_lock);
return -ESHUTDOWN;
}
ctlr = spi->controller;
/* use the buffer lock here for triple duty:
* - prevent I/O (from us) so calling spi_setup() is safe;
* - prevent concurrent SPI_IOC_WR_* from morphing
* data fields while SPI_IOC_RD_* reads them;
* - SPI_IOC_MESSAGE needs the buffer locked "normally".
*/
mutex_lock(&spidev->buf_lock);
switch (cmd) {
/* read requests */
case SPI_IOC_RD_MODE:
case SPI_IOC_RD_MODE32:
tmp = spi->mode & SPI_MODE_MASK;
if (ctlr->use_gpio_descriptors && spi_get_csgpiod(spi, 0))
tmp &= ~SPI_CS_HIGH;
if (cmd == SPI_IOC_RD_MODE)
retval = put_user(tmp, (__u8 __user *)arg);
else
retval = put_user(tmp, (__u32 __user *)arg);
break;
case SPI_IOC_RD_LSB_FIRST:
retval = put_user((spi->mode & SPI_LSB_FIRST) ? 1 : 0,
(__u8 __user *)arg);
break;
case SPI_IOC_RD_BITS_PER_WORD:
retval = put_user(spi->bits_per_word, (__u8 __user *)arg);
break;
case SPI_IOC_RD_MAX_SPEED_HZ:
retval = put_user(spidev->speed_hz, (__u32 __user *)arg);
break;
/* write requests */
case SPI_IOC_WR_MODE:
case SPI_IOC_WR_MODE32:
if (cmd == SPI_IOC_WR_MODE)
retval = get_user(tmp, (u8 __user *)arg);
else
retval = get_user(tmp, (u32 __user *)arg);
if (retval == 0) {
u32 save = spi->mode;
if (tmp & ~SPI_MODE_MASK) {
retval = -EINVAL;
break;
}
if (ctlr->use_gpio_descriptors && spi_get_csgpiod(spi, 0))
tmp |= SPI_CS_HIGH;
tmp |= spi->mode & ~SPI_MODE_MASK;
spi->mode = tmp & SPI_MODE_USER_MASK;
retval = spi_setup(spi);
if (retval < 0)
spi->mode = save;
else
dev_dbg(&spi->dev, "spi mode %x\n", tmp);
}
break;
case SPI_IOC_WR_LSB_FIRST:
retval = get_user(tmp, (__u8 __user *)arg);
if (retval == 0) {
u32 save = spi->mode;
if (tmp)
spi->mode |= SPI_LSB_FIRST;
else
spi->mode &= ~SPI_LSB_FIRST;
retval = spi_setup(spi);
if (retval < 0)
spi->mode = save;
else
dev_dbg(&spi->dev, "%csb first\n",
tmp ? 'l' : 'm');
}
break;
case SPI_IOC_WR_BITS_PER_WORD:
retval = get_user(tmp, (__u8 __user *)arg);
if (retval == 0) {
u8 save = spi->bits_per_word;
spi->bits_per_word = tmp;
retval = spi_setup(spi);
if (retval < 0)
spi->bits_per_word = save;
else
dev_dbg(&spi->dev, "%d bits per word\n", tmp);
}
break;
case SPI_IOC_WR_MAX_SPEED_HZ: {
u32 save;
retval = get_user(tmp, (__u32 __user *)arg);
if (retval)
break;
if (tmp == 0) {
retval = -EINVAL;
break;
}
save = spi->max_speed_hz;
spi->max_speed_hz = tmp;
retval = spi_setup(spi);
if (retval == 0) {
spidev->speed_hz = tmp;
dev_dbg(&spi->dev, "%d Hz (max)\n", spidev->speed_hz);
}
spi->max_speed_hz = save;
break;
}
default:
/* segmented and/or full-duplex I/O request */
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-30 11:43:33 -07:00
/* Check message and copy into scratch area */
ioc = spidev_get_ioc_message(cmd,
(struct spi_ioc_transfer __user *)arg, &n_ioc);
if (IS_ERR(ioc)) {
retval = PTR_ERR(ioc);
break;
}
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-30 11:43:33 -07:00
if (!ioc)
break; /* n_ioc is also 0 */
/* translate to spi_message, execute */
retval = spidev_message(spidev, ioc, n_ioc);
kfree(ioc);
break;
}
mutex_unlock(&spidev->buf_lock);
spi_dev_put(spi);
mutex_unlock(&spidev->spi_lock);
return retval;
}
#ifdef CONFIG_COMPAT
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-30 11:43:33 -07:00
static long
spidev_compat_ioc_message(struct file *filp, unsigned int cmd,
unsigned long arg)
{
struct spi_ioc_transfer __user *u_ioc;
int retval = 0;
struct spidev_data *spidev;
struct spi_device *spi;
unsigned n_ioc, n;
struct spi_ioc_transfer *ioc;
u_ioc = (struct spi_ioc_transfer __user *) compat_ptr(arg);
/* guard against device removal before, or while,
* we issue this ioctl.
*/
spidev = filp->private_data;
mutex_lock(&spidev->spi_lock);
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-30 11:43:33 -07:00
spi = spi_dev_get(spidev->spi);
if (spi == NULL) {
mutex_unlock(&spidev->spi_lock);
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-30 11:43:33 -07:00
return -ESHUTDOWN;
}
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-30 11:43:33 -07:00
/* SPI_IOC_MESSAGE needs the buffer locked "normally" */
mutex_lock(&spidev->buf_lock);
/* Check message and copy into scratch area */
ioc = spidev_get_ioc_message(cmd, u_ioc, &n_ioc);
if (IS_ERR(ioc)) {
retval = PTR_ERR(ioc);
goto done;
}
if (!ioc)
goto done; /* n_ioc is also 0 */
/* Convert buffer pointers */
for (n = 0; n < n_ioc; n++) {
ioc[n].rx_buf = (uintptr_t) compat_ptr(ioc[n].rx_buf);
ioc[n].tx_buf = (uintptr_t) compat_ptr(ioc[n].tx_buf);
}
/* translate to spi_message, execute */
retval = spidev_message(spidev, ioc, n_ioc);
kfree(ioc);
done:
mutex_unlock(&spidev->buf_lock);
spi_dev_put(spi);
mutex_unlock(&spidev->spi_lock);
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-30 11:43:33 -07:00
return retval;
}
static long
spidev_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
{
spi: spidev: Convert buf pointers for 32-bit compat SPI_IOC_MESSAGE(n) The SPI_IOC_MESSAGE(n) ioctl commands' argument points to an array of n struct spi_ioc_transfer elements. The spidev's compat_ioctl handler just converts this pointer and passes it on to the unlocked_ioctl handler to process it. The tx_buf and rx_buf members of struct spi_ioc_transfer are of type __u64 and hold pointer values. A 32-bit userspace application running in a 64-bit kernel might not have widened the 32-bit pointers correctly for the kernel. The application might have sign-extended the pointer to when the kernel expects it to be zero-extended, or vice versa, leading to an -EFAULT being returned by spidev_message() if the widened pointer is invalid. Handle the SPI_IOC_MESSAGE(n) ioctl commands specially in the compat_ioctl handler, calling new function spidev_compat_ioctl_message() to handle them. This processes them in the same way as the unlocked_ioctl handler except that it uses compat_ptr() to convert the tx_buf and rx_buf members of each struct spi_ioc_transfer element. To save code, factor out part of the unlocked_ioctl handler into a new function spidev_get_ioc_message(). This checks the ioctl command code is a valid SPI_IOC_MESSAGE(n), determines n and copies the array of n struct spi_ioc_transfer elements from userspace into dynamically allocated memory, returning either a pointer to the memory, an ERR_PTR(-err) value, or NULL (for SPI_IOC_MESSAGE(0)). Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Mark Brown <broonie@kernel.org>
2015-01-30 11:43:33 -07:00
if (_IOC_TYPE(cmd) == SPI_IOC_MAGIC
&& _IOC_NR(cmd) == _IOC_NR(SPI_IOC_MESSAGE(0))
&& _IOC_DIR(cmd) == _IOC_WRITE)
return spidev_compat_ioc_message(filp, cmd, arg);
return spidev_ioctl(filp, cmd, (unsigned long)compat_ptr(arg));
}
#else
#define spidev_compat_ioctl NULL
#endif /* CONFIG_COMPAT */
static int spidev_open(struct inode *inode, struct file *filp)
{
struct spidev_data *spidev = NULL, *iter;
int status = -ENXIO;
mutex_lock(&device_list_lock);
list_for_each_entry(iter, &device_list, device_entry) {
if (iter->devt == inode->i_rdev) {
status = 0;
spidev = iter;
break;
}
}
if (!spidev) {
pr_debug("spidev: nothing for minor %d\n", iminor(inode));
goto err_find_dev;
}
if (!spidev->tx_buffer) {
spidev->tx_buffer = kmalloc(bufsiz, GFP_KERNEL);
if (!spidev->tx_buffer) {
status = -ENOMEM;
goto err_find_dev;
}
}
if (!spidev->rx_buffer) {
spidev->rx_buffer = kmalloc(bufsiz, GFP_KERNEL);
if (!spidev->rx_buffer) {
status = -ENOMEM;
goto err_alloc_rx_buf;
}
}
spidev->users++;
filp->private_data = spidev;
*: convert stream-like files from nonseekable_open -> stream_open Using scripts/coccinelle/api/stream_open.cocci added in 10dce8af3422 ("fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock"), search and convert to stream_open all in-kernel nonseekable_open users for which read and write actually do not depend on ppos and where there is no other methods in file_operations which assume @offset access. I've verified each generated change manually - that it is correct to convert - and each other nonseekable_open instance left - that it is either not correct to convert there, or that it is not converted due to current stream_open.cocci limitations. The script also does not convert files that should be valid to convert, but that currently have .llseek = noop_llseek or generic_file_llseek for unknown reason despite file being opened with nonseekable_open (e.g. drivers/input/mousedev.c) Among cases converted 14 were potentially vulnerable to read vs write deadlock (see details in 10dce8af3422): drivers/char/pcmcia/cm4000_cs.c:1685:7-23: ERROR: cm4000_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. drivers/gnss/core.c:45:1-17: ERROR: gnss_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. drivers/hid/uhid.c:635:1-17: ERROR: uhid_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. drivers/infiniband/core/user_mad.c:988:1-17: ERROR: umad_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. drivers/input/evdev.c:527:1-17: ERROR: evdev_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. drivers/input/misc/uinput.c:401:1-17: ERROR: uinput_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. drivers/isdn/capi/capi.c:963:8-24: ERROR: capi_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. drivers/leds/uleds.c:77:1-17: ERROR: uleds_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. drivers/media/rc/lirc_dev.c:198:1-17: ERROR: lirc_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. drivers/s390/char/fs3270.c:488:1-17: ERROR: fs3270_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. drivers/usb/misc/ldusb.c:310:1-17: ERROR: ld_usb_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. drivers/xen/evtchn.c:667:8-24: ERROR: evtchn_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. net/batman-adv/icmp_socket.c:80:1-17: ERROR: batadv_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. net/rfkill/core.c:1146:8-24: ERROR: rfkill_fops: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix. and the rest were just safe to convert to stream_open because their read and write do not use ppos at all and corresponding file_operations do not have methods that assume @offset file access(*): arch/powerpc/platforms/52xx/mpc52xx_gpt.c:631:8-24: WARNING: mpc52xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_ibox_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_ibox_stat_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_mbox_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_mbox_stat_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_wbox_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. arch/powerpc/platforms/cell/spufs/file.c:591:8-24: WARNING: spufs_wbox_stat_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. arch/um/drivers/harddog_kern.c:88:8-24: WARNING: harddog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. arch/x86/kernel/cpu/microcode/core.c:430:33-49: WARNING: microcode_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/char/ds1620.c:215:8-24: WARNING: ds1620_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/char/dtlk.c:301:1-17: WARNING: dtlk_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. drivers/char/ipmi/ipmi_watchdog.c:840:9-25: WARNING: ipmi_wdog_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. drivers/char/pcmcia/scr24x_cs.c:95:8-24: WARNING: scr24x_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. drivers/char/tb0219.c:246:9-25: WARNING: tb0219_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. drivers/firewire/nosy.c:306:8-24: WARNING: nosy_ops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/hwmon/fschmd.c:840:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/hwmon/w83793.c:1344:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/infiniband/core/ucma.c:1747:8-24: WARNING: ucma_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/infiniband/core/ucm.c:1178:8-24: WARNING: ucm_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/infiniband/core/uverbs_main.c:1086:8-24: WARNING: uverbs_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/input/joydev.c:282:1-17: WARNING: joydev_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/pci/switch/switchtec.c:393:1-17: WARNING: switchtec_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. drivers/platform/chrome/cros_ec_debugfs.c:135:8-24: WARNING: cros_ec_console_log_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/rtc/rtc-ds1374.c:470:9-25: WARNING: ds1374_wdt_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. drivers/rtc/rtc-m41t80.c:805:9-25: WARNING: wdt_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. drivers/s390/char/tape_char.c:293:2-18: WARNING: tape_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. drivers/s390/char/zcore.c:194:8-24: WARNING: zcore_reipl_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/s390/crypto/zcrypt_api.c:528:8-24: WARNING: zcrypt_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. drivers/spi/spidev.c:594:1-17: WARNING: spidev_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. drivers/staging/pi433/pi433_if.c:974:1-17: WARNING: pi433_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/acquirewdt.c:203:8-24: WARNING: acq_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/advantechwdt.c:202:8-24: WARNING: advwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/alim1535_wdt.c:252:8-24: WARNING: ali_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/alim7101_wdt.c:217:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/ar7_wdt.c:166:8-24: WARNING: ar7_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/at91rm9200_wdt.c:113:8-24: WARNING: at91wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/ath79_wdt.c:135:8-24: WARNING: ath79_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/bcm63xx_wdt.c:119:8-24: WARNING: bcm63xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/cpu5wdt.c:143:8-24: WARNING: cpu5wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/cpwd.c:397:8-24: WARNING: cpwd_fops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/eurotechwdt.c:319:8-24: WARNING: eurwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/f71808e_wdt.c:528:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/gef_wdt.c:232:8-24: WARNING: gef_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/geodewdt.c:95:8-24: WARNING: geodewdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/ib700wdt.c:241:8-24: WARNING: ibwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/ibmasr.c:326:8-24: WARNING: asr_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/indydog.c:80:8-24: WARNING: indydog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/intel_scu_watchdog.c:307:8-24: WARNING: intel_scu_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/iop_wdt.c:104:8-24: WARNING: iop_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/it8712f_wdt.c:330:8-24: WARNING: it8712f_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/ixp4xx_wdt.c:68:8-24: WARNING: ixp4xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/ks8695_wdt.c:145:8-24: WARNING: ks8695wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/m54xx_wdt.c:88:8-24: WARNING: m54xx_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/machzwd.c:336:8-24: WARNING: zf_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/mixcomwd.c:153:8-24: WARNING: mixcomwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/mtx-1_wdt.c:121:8-24: WARNING: mtx1_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/mv64x60_wdt.c:136:8-24: WARNING: mv64x60_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/nuc900_wdt.c:134:8-24: WARNING: nuc900wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/nv_tco.c:164:8-24: WARNING: nv_tco_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/pc87413_wdt.c:289:8-24: WARNING: pc87413_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/pcwd.c:698:8-24: WARNING: pcwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/pcwd.c:737:8-24: WARNING: pcwd_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/pcwd_pci.c:581:8-24: WARNING: pcipcwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/pcwd_pci.c:623:8-24: WARNING: pcipcwd_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/pcwd_usb.c:488:8-24: WARNING: usb_pcwd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/pcwd_usb.c:527:8-24: WARNING: usb_pcwd_temperature_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/pika_wdt.c:121:8-24: WARNING: pikawdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/pnx833x_wdt.c:119:8-24: WARNING: pnx833x_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/rc32434_wdt.c:153:8-24: WARNING: rc32434_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/rdc321x_wdt.c:145:8-24: WARNING: rdc321x_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/riowd.c:79:1-17: WARNING: riowd_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/sa1100_wdt.c:62:8-24: WARNING: sa1100dog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/sbc60xxwdt.c:211:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/sbc7240_wdt.c:139:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/sbc8360.c:274:8-24: WARNING: sbc8360_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/sbc_epx_c3.c:81:8-24: WARNING: epx_c3_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/sbc_fitpc2_wdt.c:78:8-24: WARNING: fitpc2_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/sb_wdog.c:108:1-17: WARNING: sbwdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/sc1200wdt.c:181:8-24: WARNING: sc1200wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/sc520_wdt.c:261:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/sch311x_wdt.c:319:8-24: WARNING: sch311x_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/scx200_wdt.c:105:8-24: WARNING: scx200_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/smsc37b787_wdt.c:369:8-24: WARNING: wb_smsc_wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/w83877f_wdt.c:227:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/w83977f_wdt.c:301:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/wafer5823wdt.c:200:8-24: WARNING: wafwdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/watchdog_dev.c:828:8-24: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/wdrtas.c:379:8-24: WARNING: wdrtas_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/wdrtas.c:445:8-24: WARNING: wdrtas_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/wdt285.c:104:1-17: WARNING: watchdog_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/wdt977.c:276:8-24: WARNING: wdt977_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/wdt.c:424:8-24: WARNING: wdt_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/wdt.c:484:8-24: WARNING: wdt_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/wdt_pci.c:464:8-24: WARNING: wdtpci_fops: .write() has stream semantic; safe to change nonseekable_open -> stream_open. drivers/watchdog/wdt_pci.c:527:8-24: WARNING: wdtpci_temp_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. net/batman-adv/log.c:105:1-17: WARNING: batadv_log_fops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. sound/core/control.c:57:7-23: WARNING: snd_ctl_f_ops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. sound/core/rawmidi.c:385:7-23: WARNING: snd_rawmidi_f_ops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. sound/core/seq/seq_clientmgr.c:310:7-23: WARNING: snd_seq_f_ops: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open. sound/core/timer.c:1428:7-23: WARNING: snd_timer_f_ops: .read() has stream semantic; safe to change nonseekable_open -> stream_open. One can also recheck/review the patch via generating it with explanation comments included via $ make coccicheck MODE=patch COCCI=scripts/coccinelle/api/stream_open.cocci SPFLAGS="-D explain" (*) This second group also contains cases with read/write deadlocks that stream_open.cocci don't yet detect, but which are still valid to convert to stream_open since ppos is not used. For example drivers/pci/switch/switchtec.c calls wait_for_completion_interruptible() in its .read, but stream_open.cocci currently detects only "wait_event*" as blocking. Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Yongzhi Pan <panyongzhi@gmail.com> Cc: Jonathan Corbet <corbet@lwn.net> Cc: David Vrabel <david.vrabel@citrix.com> Cc: Juergen Gross <jgross@suse.com> Cc: Miklos Szeredi <miklos@szeredi.hu> Cc: Tejun Heo <tj@kernel.org> Cc: Kirill Tkhai <ktkhai@virtuozzo.com> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Christoph Hellwig <hch@lst.de> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Julia Lawall <Julia.Lawall@lip6.fr> Cc: Nikolaus Rath <Nikolaus@rath.org> Cc: Han-Wen Nienhuys <hanwen@google.com> Cc: Anatolij Gustschin <agust@denx.de> Cc: Jeff Dike <jdike@addtoit.com> Cc: Richard Weinberger <richard@nod.at> Cc: Anton Ivanov <anton.ivanov@cambridgegreys.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@redhat.com> Cc: "James R. Van Zandt" <jrv@vanzandt.mv.com> Cc: Corey Minyard <minyard@acm.org> Cc: Harald Welte <laforge@gnumonks.org> Acked-by: Lubomir Rintel <lkundrak@v3.sk> [scr24x_cs] Cc: Stefan Richter <stefanr@s5r6.in-berlin.de> Cc: Johan Hovold <johan@kernel.org> Cc: David Herrmann <dh.herrmann@googlemail.com> Cc: Jiri Kosina <jikos@kernel.org> Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> Cc: Jean Delvare <jdelvare@suse.com> Acked-by: Guenter Roeck <linux@roeck-us.net> [watchdog/* hwmon/*] Cc: Rudolf Marek <r.marek@assembler.cz> Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com> Cc: Karsten Keil <isdn@linux-pingi.de> Cc: Jacek Anaszewski <jacek.anaszewski@gmail.com> Cc: Pavel Machek <pavel@ucw.cz> Cc: Mauro Carvalho Chehab <mchehab@kernel.org> Cc: Kurt Schwemmer <kurt.schwemmer@microsemi.com> Acked-by: Logan Gunthorpe <logang@deltatee.com> [drivers/pci/switch/switchtec] Acked-by: Bjorn Helgaas <bhelgaas@google.com> [drivers/pci/switch/switchtec] Cc: Benson Leung <bleung@chromium.org> Acked-by: Enric Balletbo i Serra <enric.balletbo@collabora.com> [platform/chrome] Cc: Alessandro Zummo <a.zummo@towertech.it> Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com> [rtc/*] Cc: Mark Brown <broonie@kernel.org> Cc: Wim Van Sebroeck <wim@linux-watchdog.org> Cc: Florian Fainelli <f.fainelli@gmail.com> Cc: bcm-kernel-feedback-list@broadcom.com Cc: Wan ZongShun <mcuos.com@gmail.com> Cc: Zwane Mwaikambo <zwanem@gmail.com> Cc: Marek Lindner <mareklindner@neomailbox.ch> Cc: Simon Wunderlich <sw@simonwunderlich.de> Cc: Antonio Quartulli <a@unstable.cc> Cc: "David S. Miller" <davem@davemloft.net> Cc: Johannes Berg <johannes@sipsolutions.net> Cc: Jaroslav Kysela <perex@perex.cz> Cc: Takashi Iwai <tiwai@suse.com> Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
2019-03-26 13:51:19 -07:00
stream_open(inode, filp);
mutex_unlock(&device_list_lock);
return 0;
err_alloc_rx_buf:
kfree(spidev->tx_buffer);
spidev->tx_buffer = NULL;
err_find_dev:
mutex_unlock(&device_list_lock);
return status;
}
static int spidev_release(struct inode *inode, struct file *filp)
{
struct spidev_data *spidev;
int dofree;
mutex_lock(&device_list_lock);
spidev = filp->private_data;
filp->private_data = NULL;
mutex_lock(&spidev->spi_lock);
/* ... after we unbound from the underlying device? */
dofree = (spidev->spi == NULL);
mutex_unlock(&spidev->spi_lock);
/* last close? */
spidev->users--;
if (!spidev->users) {
kfree(spidev->tx_buffer);
spidev->tx_buffer = NULL;
kfree(spidev->rx_buffer);
spidev->rx_buffer = NULL;
if (dofree)
kfree(spidev);
else
spidev->speed_hz = spidev->spi->max_speed_hz;
}
#ifdef CONFIG_SPI_SLAVE
if (!dofree)
spi_target_abort(spidev->spi);
#endif
mutex_unlock(&device_list_lock);
return 0;
}
static const struct file_operations spidev_fops = {
.owner = THIS_MODULE,
/* REVISIT switch to aio primitives, so that userspace
* gets more complete API coverage. It'll simplify things
* too, except for the locking.
*/
.write = spidev_write,
.read = spidev_read,
.unlocked_ioctl = spidev_ioctl,
.compat_ioctl = spidev_compat_ioctl,
.open = spidev_open,
.release = spidev_release,
};
/*-------------------------------------------------------------------------*/
/* The main reason to have this class is to make mdev/udev create the
* /dev/spidevB.C character device nodes exposing our userspace API.
* It also simplifies memory management.
*/
static const struct class spidev_class = {
.name = "spidev",
};
static const struct spi_device_id spidev_spi_ids[] = {
{ .name = "bh2228fv" },
{ .name = "dh2228fv" },
{ .name = "jg10309-01" },
{ .name = "ltc2488" },
{ .name = "sx1301" },
{ .name = "bk4" },
{ .name = "dhcom-board" },
{ .name = "m53cpld" },
{ .name = "spi-petra" },
{ .name = "spi-authenta" },
{ .name = "em3581" },
{ .name = "si3210" },
{},
};
MODULE_DEVICE_TABLE(spi, spidev_spi_ids);
/*
* spidev should never be referenced in DT without a specific compatible string,
* it is a Linux implementation thing rather than a description of the hardware.
*/
static int spidev_of_check(struct device *dev)
{
if (device_property_match_string(dev, "compatible", "spidev") < 0)
return 0;
dev_err(dev, "spidev listed directly in DT is not supported\n");
return -EINVAL;
}
static const struct of_device_id spidev_dt_ids[] = {
{ .compatible = "cisco,spi-petra", .data = &spidev_of_check },
{ .compatible = "dh,dhcom-board", .data = &spidev_of_check },
{ .compatible = "elgin,jg10309-01", .data = &spidev_of_check },
{ .compatible = "lineartechnology,ltc2488", .data = &spidev_of_check },
{ .compatible = "lwn,bk4", .data = &spidev_of_check },
{ .compatible = "menlo,m53cpld", .data = &spidev_of_check },
{ .compatible = "micron,spi-authenta", .data = &spidev_of_check },
{ .compatible = "rohm,bh2228fv", .data = &spidev_of_check },
{ .compatible = "rohm,dh2228fv", .data = &spidev_of_check },
{ .compatible = "semtech,sx1301", .data = &spidev_of_check },
{ .compatible = "silabs,em3581", .data = &spidev_of_check },
{ .compatible = "silabs,si3210", .data = &spidev_of_check },
{},
};
MODULE_DEVICE_TABLE(of, spidev_dt_ids);
/* Dummy SPI devices not to be used in production systems */
static int spidev_acpi_check(struct device *dev)
{
dev_warn(dev, "do not use this driver in production systems!\n");
return 0;
}
static const struct acpi_device_id spidev_acpi_ids[] = {
/*
* The ACPI SPT000* devices are only meant for development and
* testing. Systems used in production should have a proper ACPI
* description of the connected peripheral and they should also use
* a proper driver instead of poking directly to the SPI bus.
*/
{ "SPT0001", (kernel_ulong_t)&spidev_acpi_check },
{ "SPT0002", (kernel_ulong_t)&spidev_acpi_check },
{ "SPT0003", (kernel_ulong_t)&spidev_acpi_check },
{},
};
MODULE_DEVICE_TABLE(acpi, spidev_acpi_ids);
/*-------------------------------------------------------------------------*/
static int spidev_probe(struct spi_device *spi)
{
int (*match)(struct device *dev);
struct spidev_data *spidev;
int status;
unsigned long minor;
match = device_get_match_data(&spi->dev);
if (match) {
status = match(&spi->dev);
if (status)
return status;
}
/* Allocate driver data */
spidev = kzalloc(sizeof(*spidev), GFP_KERNEL);
if (!spidev)
return -ENOMEM;
/* Initialize the driver data */
spidev->spi = spi;
mutex_init(&spidev->spi_lock);
mutex_init(&spidev->buf_lock);
INIT_LIST_HEAD(&spidev->device_entry);
/* If we can allocate a minor number, hook up this device.
* Reusing minors is fine so long as udev or mdev is working.
*/
mutex_lock(&device_list_lock);
minor = find_first_zero_bit(minors, N_SPI_MINORS);
if (minor < N_SPI_MINORS) {
struct device *dev;
spidev->devt = MKDEV(SPIDEV_MAJOR, minor);
dev = device_create(&spidev_class, &spi->dev, spidev->devt,
spidev, "spidev%d.%d",
spi->controller->bus_num, spi_get_chipselect(spi, 0));
status = PTR_ERR_OR_ZERO(dev);
} else {
dev_dbg(&spi->dev, "no minor number available!\n");
status = -ENODEV;
}
if (status == 0) {
set_bit(minor, minors);
list_add(&spidev->device_entry, &device_list);
}
mutex_unlock(&device_list_lock);
spidev->speed_hz = spi->max_speed_hz;
spi: avoid spidev crash when device is removed I saw a kernel oops in spidev_remove() when a spidev device was registered and I unloaded the SPI master driver: Unable to handle kernel paging request for data at address 0x00000004 Faulting instruction address: 0xc01c0c50 Oops: Kernel access of bad area, sig: 11 [#1] CDSPR Modules linked in: spi_ppc4xx(-) NIP: c01c0c50 LR: c01bf9e4 CTR: c01c0c34 REGS: cec89c30 TRAP: 0300 Not tainted (2.6.27.3izt) MSR: 00021000 <ME> CR: 24000228 XER: 20000007 DEAR: 00000004, ESR: 00800000 TASK = cf889040[2070] 'rmmod' THREAD: cec88000 GPR00: 00000000 cec89ce0 cf889040 cec8e000 00000004 cec8e000 ffffffff 00000000 GPR08: 0000001c c0336380 00000000 c01c0c34 00000001 1001a338 100e0000 100df49c GPR16: 100b54c0 100df49c 100ddd20 100f05a8 100b5340 100efd68 00000000 00000000 GPR24: 100ec008 100f0428 c0327788 c0327794 cec8e0ac cec8e000 c0336380 00000000 NIP [c01c0c50] spidev_remove+0x1c/0xe4 LR [c01bf9e4] spi_drv_remove+0x2c/0x3c Call Trace: [cec89d00] [c01bf9e4] spi_drv_remove+0x2c/0x3c [cec89d10] [c01859a0] __device_release_driver+0x78/0xb4 [cec89d20] [c0185ab0] device_release_driver+0x28/0x44 [cec89d40] [c0184be8] bus_remove_device+0xac/0xd8 [cec89d60] [c0183094] device_del+0x100/0x194 [cec89d80] [c0183140] device_unregister+0x18/0x30 [cec89da0] [c01bf30c] __unregister+0x20/0x34 [cec89db0] [c0182778] device_for_each_child+0x38/0x74 [cec89de0] [c01bf2d0] spi_unregister_master+0x28/0x44 [cec89e00] [c01bfeac] spi_bitbang_stop+0x1c/0x58 [cec89e20] [d908a5e0] spi_ppc4xx_of_remove+0x24/0x7c [spi_ppc4xx] [...] IMHO a call to spi_set_drvdata() is missing in spidev_probe(). The patch below helped. Signed-off-by: Wolfgang Ocker <weo@reccoware.de> Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-12-01 14:13:52 -07:00
if (status == 0)
spi_set_drvdata(spi, spidev);
else
kfree(spidev);
return status;
}
static void spidev_remove(struct spi_device *spi)
{
struct spidev_data *spidev = spi_get_drvdata(spi);
/* prevent new opens */
mutex_lock(&device_list_lock);
/* make sure ops on existing fds can abort cleanly */
mutex_lock(&spidev->spi_lock);
spidev->spi = NULL;
mutex_unlock(&spidev->spi_lock);
list_del(&spidev->device_entry);
device_destroy(&spidev_class, spidev->devt);
clear_bit(MINOR(spidev->devt), minors);
if (spidev->users == 0)
kfree(spidev);
mutex_unlock(&device_list_lock);
}
static struct spi_driver spidev_spi_driver = {
.driver = {
.name = "spidev",
.of_match_table = spidev_dt_ids,
.acpi_match_table = spidev_acpi_ids,
},
.probe = spidev_probe,
.remove = spidev_remove,
.id_table = spidev_spi_ids,
/* NOTE: suspend/resume methods are not necessary here.
* We don't do anything except pass the requests to/from
* the underlying controller. The refrigerator handles
* most issues; the controller driver handles the rest.
*/
};
/*-------------------------------------------------------------------------*/
static int __init spidev_init(void)
{
int status;
/* Claim our 256 reserved device numbers. Then register a class
* that will key udev/mdev to add/remove /dev nodes. Last, register
* the driver which manages those device numbers.
*/
status = register_chrdev(SPIDEV_MAJOR, "spi", &spidev_fops);
if (status < 0)
return status;
status = class_register(&spidev_class);
if (status) {
unregister_chrdev(SPIDEV_MAJOR, spidev_spi_driver.driver.name);
return status;
}
status = spi_register_driver(&spidev_spi_driver);
if (status < 0) {
class_unregister(&spidev_class);
unregister_chrdev(SPIDEV_MAJOR, spidev_spi_driver.driver.name);
}
return status;
}
module_init(spidev_init);
static void __exit spidev_exit(void)
{
spi_unregister_driver(&spidev_spi_driver);
class_unregister(&spidev_class);
unregister_chrdev(SPIDEV_MAJOR, spidev_spi_driver.driver.name);
}
module_exit(spidev_exit);
MODULE_AUTHOR("Andrea Paterniani, <a.paterniani@swapp-eng.it>");
MODULE_DESCRIPTION("User mode SPI device interface");
MODULE_LICENSE("GPL");
MODULE_ALIAS("spi:spidev");